Court Says IP Addresses Aren't Personally Identifiable Information

from the ok... dept

We've noted that in Europe, IP addresses are considered private info, and I've pointed out that I don't think IP addresses, by themselves, should be considered private. I agree that combined with other identifying information an IP address can reveal info about you, but just the numbers alone are not private. And it appears a judge agrees, noting that IP addresses are not "personally identifiable" information (sent in by Dave Barnes). I'm actually surprised about this, because most people seem to disagree with me on IP addresses. However, this does raise a separate question: if courts say IP addresses are not personally identifiable, then does that shoot a large hole in most of the RIAA cases which rely on IP addresses? After all, the judge in this ruling said:

"In order for 'personally identifiable information' to be personally identifiable, it must identify a person. But an IP address identifies a computer."

Interesting...

>> "In order for 'personally identifiable information' to be personally identifiable, it must identify a person. But an IP address identifies a computer."

This is a bit of nitpicking, but an IP address identifies an addressable device and not necessarily just computers. That device in turn can be a router, phone, computer, or microwave oven for that matter. The big issue I have with saying an IP address identifies a computer is that many times the IP address identifies a NAT-based router or proxy server which further hides the true device making the request and of course has no provable correlation to the person that may or may not have been involved in said request.

Sometimes this stuff really is scary... even the folks that get it, sort of, don't get it.

An IP address does not identify a piece of hardware at all. It identifies an addressable connection to the Internet. There is no way of knowing what is at the endpoint of that connection. I can connect a computer today, a different computer tomorrow, and a router the day after that. Depending on the upstream equipment, I may have to clone/fudge MAC IDs, but in general, there is no possible way for anyone to know what is connected to a particular IP.

However, combined with a date and time and relevant ISP records, an IP address does identify the subscriber to whom a connection was contractually supplied. The degree to which the subscriber is responsible for activity on that connection, regardless of whether he or she is aware of it, I presume is a convoluted legal matter; but at least it ought to be understood that the link between an IP and a person is exactly that. I should think it would be much like being the registered owner of a car: while that doesn't prove you were driving it at any given time, it generally still confers a certain degree of legal responsibility.

Other numbers too

And street addresses just identify building locations, phone numbers just identify telephones, license plate numbers just identify automobiles, etc., etc. None of those actually identify a person, although a person may be associated with them. So that would make none of that protected personal information.

I wonder though if someone might now argue that social security numbers only identify social security accounts and not actual people.

To Anon Coward: "Routers, especially, are just specialized computers." While this is true, Freedom is pointing out that pinpointing a computer doesn't pinpoint a user. And an IP on a router cannot even pinpoint a computer, let alone a user. My wireless router has 4-6 computers attached to it depending on the day.

Re: Other numbers too

Social security numbers alone are not personal information under most laws/regulations. Usually you have to have a first name (or initial) and last name + the SSN before you have anything that needs to be treated as PII.

Even more...

The judge was too limiting when he said that an IP address identifies a computer. It may identify a router or proxy server or similar device. When using, for example, a router, your computer's IP address is totally isolated from the outside world and just because you may be connected to a router with its own IP address doesn't even mean you are in the same physical location as the router (merely the general vicinity in the case of a wireless router).

You can mask an IP if you know what you are doing. You can also remain unknown, especially since there are companies that will provide you an internet connection, no questions asked, and don't have to provide anyone else including the law. Sure the FBI can subpoena this info but that comes back to being able to mask your IP. My IP address changes every time I connect to the internet. If you know what you are doing, you can be unknown and do what you want.

Re:

I should think it would be much like being the registered owner of a car: while that doesn't prove you were driving it at any given time, it generally still confers a certain degree of legal responsibility.

The registered owner of an IP address is usually an ISP, not some subscriber that they temporarily let use it.

Re:

Freedom is pointing out that pinpointing a computer doesn't pinpoint a user.

I didn't say otherwise, but Freedom said he had an "issue" with the idea that someone might say that an IP address was assigned to a "computer" when it was assigned to a "router", indicating that he thought routers were not computers, which is not accurate and why I pointed it out. Sorry if that bothers you.

Re:

Not quite. While you *can* hide behind a NAT box or a proxy server, you can't "mask" your IP address. You could forge the packets you transmit with a different IP, but then you'd never get a response.

Unless you pay in cash, your ISP certainly knows who you are. Even on the off chance they don't, they know physically where your end-point (telephone, cable, DSL, etc. modem) is located. So, you are entirely traceable.

Re: Re:

Thank goodness that in civil litigation the standard of proof is by a "preponderance of the evidence", and not the apparently wished for standard by many of the commenters at this site of "proof to an absolute degree of certainty and nothing less."

For example, Ms. Thomas in Minnesota was not held liable based solely on her IP address. It was the cumulative effect of an IP address associated with her internet account, the sudden "failure" and replacement of her hard drive right after she received a notice that her address was associated with unauthorized downloading using a p2p client, a hardwired router versus a wireless router, and a host of other evidence submitted at trial that obviously convinced the jury that more likely than not she was the one responsible for downloading and sharing unauthorized content. She had the opportunity to rebut the plaintiff's evidence before two juries, each of which did not find her testimony credible and determined she was liable.

Cases such as these are not built merely on an IP address. It is just a starting point from which a plaintiff must gather and present significantly more evidence to a court.

I know that the Thomas case is not the subject of this article, but it seems fair to mention it in order to address what is apparently a widespread misunderstanding of how our legal system actually works.

Re: Re:

Unless you pay in cash, your ISP certainly knows who you are.

Not quite. They may know who is billed for the service, but that doesn't mean they know who is sitting at the keyboard of some computer using that service. So "you" are not "entirely traceable" by that alone.

Thank goodness that in civil litigation the standard of proof is by a "preponderance of the evidence", and not the apparently wished for standard by many of the commenters at this site of "proof to an absolute degree of certainty and nothing less."

I don't think that exists even in criminal cases.

For example, Ms. Thomas in Minnesota was not held liable based solely on her IP address.

Who said she was? Your straw man?

Cases such as these are not built merely on an IP address.

However, that is what legal threats, accusations and settlement offers are often based on. Then, when push comes to shove, such cases are often dropped before they can be decided in court. The Thomas case was an exception because they had so much other evidence to go along with the address, and to characterize the Thomas case as typical is misleading.

I know that the Thomas case is not the subject of this article...

Nor, as I said, typical.

...but it seems fair to mention it in order to address what is apparently a widespread misunderstanding of how our legal system actually works.

The way it works is that even innocent people can be bullied into settling just because they can't afford to defend themselves. What a great system.

Point of Civil Procedure

Having an IP address which on its face shows illegal/infringing activity running through it may be enough to persuade a judge to issue a subpoena for the rest of the information needed to commence a civil action. Once commenced, any additional parties that may need to be added can come out in the discovery phase.

Re:

"For example, Ms. Thomas in Minnesota was not held liable based solely on her IP address. It was the cumulative effect of an IP address associated with her internet account, the sudden "failure" and replacement of her hard drive right after she received a notice that her address was associated with unauthorized downloading using a p2p client, a hardwired router versus a wireless router, and a host of other evidence submitted at trial that obviously convinced the jury that more likely than not she was the one responsible for downloading and sharing unauthorized content. She had the opportunity to rebut the plaintiff's evidence before two juries, each of which did not find her testimony credible and determined she was liable."

It is not hard for one to accept that she MOST LIKELY did download music.

What is hard is to accept what the potential penalties are.

All based on investigations that are not able to actually identify who did what, besides which are themselves most likely illegal.

Re:

Could the same logic be applied to phone numbers?

1) Your phone number, via caller id, is associated with infringing activity
2) This alone is used to make threats and seek payment
3) Search warrant is granted and items confiscated
4) Oh, did I mention that caller id can be spoofed

IP Address Is Soft-Serve

Here's a little anecdote.
----
I recently wrote a mashup application that helped reconcile a customer's Network management software with their in-house Asset management software.

There was a high order of corruption in their Asset records due to the fact that they decided to end-around the network management software and discover, then TIE the IP address of a device to the Asset record of physical devices.

The problem is that there is a clear dichotomy between NETWORK management and ASSET management. Network management deals with the ever-flexible "what is out there right now, live on the network, and how is it currently configured". Asset management is supposed to track a physical device from purchase/lease through disposal.

The simple fact their Asset management devs overlooked is that IP addresses are soft - mutable and transportable. The hardware is real, complete with stickers and mass, and might be assigned hundreds of IP addresses in its lifetime. Not only that, but the network interface card within a system can be portable, making even the MAC address (yes, also spoofable) a dodgy way to track a multi-component SYSTEM.
----
An IP address is absolutely not Personally Identifiable information about a human. Neither should an IP address be considered a legal way to identify a SYSTEM beyond reasonable doubt.

Even though we can usually track IP addresses to systems to users *in the moment*, the information 'on-the-wire' can still be falsified. Not to mention the ease and rapidity with which network management records can be plugged by a semi-competent corporate hack.

Not even that - technically. It identifies a 'host' on a network that can change.

Really, it's a temporary mapping - that can be changed at any time by a person that has some basic knowledge - I can just reset my cable modem and *poof* - magically, I get a new IP address.

The MAC address does in fact identify - not a computer still - but a network interface. I could have multiple IP addresses and MAC addresses on a single PC - I could also have a PC with neither a MAC address nor an IP address.

The only real "link" is a log on a server. Usually in plain text. So - let's assume some guy at your ISP is a download *fiend* - how hard would it be for him/her to do a find and replace on a text file? Seriously.

Privacy and social contract

While the first, striking thing about this is the judge’s misconception that an IP address identifies a computer, that’s not the worst of it.

According to the article linked in the Techdirt post, the statement quoted was part of the dismissal of a suit in which consumers alleged that Microsoft violated its user agreement by “collecting” IP addresses while stating that it would not collect any “personally identifiable information.”

Since it is impossible to communicate on the Internet without temporarily obtaining the IP address of the other party, I presume they mean that Microsoft retained a list of the IP addresses involved.

Now, what could “personally identifiable information” mean to an ordinary person reading a user agreement? How about a street address, a license plate number or a telephone number? None of these “identify a person,” as the judge claims “personally identifiable information” must do; but of course, these things are exactly what we understand the term to include. “Personally identifiable information” is information that can be used, either by itself or with other available information, to provide significant help in identifying someone — either by connecting the information to a standard form of identification (such as a name or social security number), or by recognizing when the same person is encountered again in the future (such as with a tracking cookie). It is also quite sufficient to fall within an ordinary understanding of the phrase if the information makes it probable (not necessarily certain) that the person in question is a member of a close unit (such as a family or household) that can be identified or recognized.

Privacy is less straightforward, and complicated by two different senses of the word. My street address is not “private” in the sense that my diary is private: anyone can stand on the street in front of my house and determine my address, while no one can (legally) sneak into my home and read my diary. We also use the word “private” to describe how we expect an entity which acquires information about us to behave in regard to that information. In this context, “private” is not so much a characteristic of the information as an indication that there are limits we expect the entity which gathers the information to honor. These limits come from a shared (or not) understanding of what constitutes civilized behavior. If I give you my phone number, I have an expectation of what you might do with it, and what you should not do with it. I probably won’t be disturbed if you give it to UPS to help them deliver a package you’ve sent to my house; I probably will be upset if you write it on the bathroom wall in the local park.

As the ability to store, aggregate and cross-reference data has exploded, the idea of “private” as a yes-or-no attribute is no longer very useful. There is still, of course, the privacy of the diary, whether it’s on paper or in a computer file; but the other sort of privacy — the one involved in user agreements and privacy policies — is no longer comprehensible in terms of one bit of information being private and another public. Information about you that can be used against you is out there; privacy now must concern what uses of information are socially and legally acceptable, and how easy it is for entities which might not honor social and legal boundaries to access sensitive information. (They can get it if they work hard enough; practicality, not possibility, is the realistic limitation.)

I contend, for example, that though a prospective employer obviously could search LiveJournal or Facebook, or your private web site, for information about you, it should be seen as improper to use that as input to a hiring decision (unless you’ve freely offered it as a reference). Our ability to speak our minds should not be dictated by fear of future unemployment. This is an example where the information itself can’t be called “private” in any real sense — it’s intentionally been posted for all to see — yet some uses of that information impinge on our liberty (effectively creating a kind of “prior restraint”), and I think those uses can reasonably be said to invade our privacy.

It makes no sense to say an IP address, or any other data, is private, or not private; what is relevant, if you are retaining data, is why you are keeping it, and what you will do (or allow to be done) with it. If you are providing added value to your users, that’s generally good; but if your use of data about your users subjects them to unwelcome intrusions, or exposes information about them that they would have preferred not be so widely or easily known, or just generally works against them (even if you don’t disclose the data to a third party), they will consider it a breach of privacy.

I have doubts that much of this can be handled sensibly by law; most respect for the boundaries of privacy will have to grow from recognition of the value of reputation. It is perhaps possible that law could help by requiring greater transparency in the handling of data — for the most part, not limiting what businesses can do with data, but insisting that how any data collected on the web is used must be made known, in detail, to the public, and not merely disclaimed in a vague user agreement or privacy policy.

"Last month, Jones sided with Microsoft and dismissed the case before trial."

"Jones issued the ruling in the context of a class-action lawsuit brought by consumers"

hmmm, so the fact that this single judge didn't actually bother to even hear the case in trial, yet it's suddenly become a "ruling" doesn't strike you as odd....!

there's no ruling here..., only a judge that on the face of it, didn't see fit to drag MS through yet another US court room case, you have to wonder if he really even bothered to look up, and read the current "real rulings" cases such as pointed out in the linked original story above.

"New Jersey Supreme Court ruled that Internet service providers can't disclose a subscriber's IP address to the police without a grand jury subpoena.
...
"We now hold that citizens have a reasonable expectation of privacy ... in the subscriber information they provide to internet service providers--just as New Jersey citizens have a privacy interest in their bank records stored by banks and telephone billing records kept by phone companies," the court stated in its unanimous decision."

"...
With the case, the New Jersey Supreme Court joined European authorities in holding that IP addresses are private.

The ruling seems to signal that the court is concerned about privacy erosion in a society where data is increasingly stored digitally. Lee Tien, a lawyer with the digital rights group Electronic Frontier Foundation, called the holding a "harbinger of a trend" toward protecting online privacy. That organization, along with the ACLU, Electronic Privacy Information Center and others, filed a friend of the court brief in the case.

The New Jersey court specifically examined not just IP addresses, but also the clickstream data associated with particular addresses, and appeared to find an expectation of privacy in that data as well. "With a complete listing of IP addresses, one can track a person's Internet usage," the opinion reads. The court then quoted a law review article by privacy expert Daniel Solove for the proposition that clickstream data can allow the government to learn "the names of stores at which a person shops, the political organizations a person finds interesting, a person's ... fantasies, her health concerns, and so on."

The court went on to hold that users only disclose information to Internet service providers for the limited purpose of being able to access the Web "and not to promote the release of personal information to others."

Re:

Addresses can be spoofed, both IP and MAC.

Any references or tips on a practical way to “spoof” an IP address? Because I’m currently spending a lot of time in Costa Rica, and I’m about ready to punch a hole in my monitor the next time I follow a link to a video only to be told I can’t see it because I’ve committed the unpardonable sin of not being physically located in the god-blessed United States.

Colises, you need to use the right tool for the right job, in your case with trying to gain access to such a repressive country as the US, your first port of call would be to use a selection of these proxies so as to appear inside the US borders on your temp ISP connection rather than IP spoofing.